Memoirs of a Roadie

The changes required as part of the EU Privacy and Electronic Communications Directive, which I discussed last week, come into effect today (26th May 2011). The Information Commissioner's Office (ICO) released a press release on their website stating that "Organisations and businesses that run websites aimed at UK consumers are being given 12 months to 'get their houses in order'." However, this statement only serves to confuse the issue further. Does this mean that individuals are not covered by the law (the directive implies they are), or does it mean that the leniency given to businesses does not apply to individuals, and thus the full weight of the law and fines will be imposed on them immediately? The press release also seems to imply that the new law only applies to businesses providing ecommerce websites, so does that mean other businesses and organisations are exempt?

Or does it mean that those implementing the law and writing press releases are so eager to get something out that they have forgotten their peace offering to (some?) businesses still leaves a gaping hole in their policy of adhering to the original directive?

And it gets worse. Reading an article on eWeek, George Thompson, information security director at KPMG, is quoted as saying "The new law inadvertently makes the collection of consent - yet another set of sensitive, customer data - compulsory. Companies need to tighten up their data management policies and make absolutely sure that every new data composition is covered." Which leads me to believe that you can now be fined if you don't ask the user to accept cookies, and can be fined if you don't record details of those who said they don't want cookies! Then I assume you can be fined again if that consent data isn't securely stored in order to adhere to the Data Protection Act.

Did no-one really sit down and think of the implications of all this?

The Register reports that only 2 countries within the EU have notified the Commission that all the rulings have been passed into law, with the other Member States possibly facing infringement proceedings. With such a weight of resistance, wouldn't it be wiser to review the directive properly so all Member States understand and agree to all the implications?

It's not all doom and gloom though. Another article, by Brian Clifton on Measuring Success, looks at Google Analytics and concludes that "Google Analytics uses 1st party cookies to anonymously and in aggregate report on visits to your website. This is very much at the opposite end of the spectrum to who this law is targeting. For Google Analytics users, complying with the ToS (and not using the other techniques described above), there is no great issue here - you already respect your visitors' privacy...!" (also read Brian's car counting analogy in comment 3, as well as the other comments). In fact Google's own site about Google Analytics supports Brian's conclusion too.

The BBC have posted on their BBC Internet Blog, explaining how they are going to change to comply with the law. To begin with they have updated their list of cookies used across all their services. Interestingly they list Google Analytics as 3rd-party cookies, even though they are not (the GA cookies are set on the site's own domain), but I think that comes from the misunderstanding many of us had about GA cookies.

Although the ICO website has tried to lead by example, with a form at the top of their pages requesting you accept cookies, this doesn't suit all websites. This method of capturing consent works fine for those generating dynamic websites from self-controlled applications, such as ICO's own ASP.NET application, but what about static websites? What about off-the-shelf packages that haven't any support for this sort of requirement?

On the other side of the coin, the ICO themselves have discovered that a cookie used to maintain session state is required by their own application. Providing these are anonymous, the directive would seem to imply that these cookies are exempt, as being "strictly necessary" for the running of the site. Then again, if they did contain identifying data, but the application wouldn't work without it, is that still "strictly necessary"? A first step for most website owners will be to audit their use of cookies, as the BBC have done, but I wonder how many will view them all as strictly necessary?

It generally means this is going to be an ongoing headache for quite some time, with ever more questions than answers. As some have noted, it is going to take a legal test case before we truly know what is and isn't acceptable. Here's hoping it goes before a judge well versed in how the internet works, and that common sense prevails.

With thanks to a fellow Perler: Smylers informs me that a Flash Cookie refers to the local storage used by Flash content on a site, which saves state on the user's machine, bypassing the browser's cookie preferences. Odd that the advice singles out this type of cookie by name though, and not the others.

In an article on the Wall Street Journal, which I found after posting my article, it was interesting to discover that the ICO themselves use Google Analytics. So after 25th May, if you visit the ICO website and see no pop-up, I guess that means Google Analytics is good to go. Failing that, they'll see a deluge of complaints that their own website fails to follow the EU directive.

I also recommend reading StatCounter's response too. They also note the problem with the way hosting locations are (not) covered by the directive, and the fact that the protection from behavioural advertising has got lost along the way.

After a discussion about this at the Birmingham.pm Social meeting last night, we came to the considered opinion that this would likely just be a wait-and-see game. Until the ICO bring a test case to court, we really won't know how much impact this will have. Which brings us back to the motives for the directives. If you're going to take someone to court, only big business is worth fining. Bankrupting an individual or a small business (the ICO now have powers to fine up to £500,000) is going to give the ICO, the government and the EU a lot of really negative press.

Having tackled the problem in the wrong way, those the directives sought to bring into line are only going to use other technologies to retrieve and store the data they want. It may even affect EU hosting companies, if a sizeable portion of their market decide to register and host their websites in non-EU countries.

In the end the only losers will be EU businesses, and thus the EU economy. Did anyone seriously think these directives through?

On May 26th 2011, UK websites must adhere to an EU directive regarding cookies that still hasn't been finalised. Other member states of the EU are also required to have laws in place that enforce the directive.

Within the web developer world this has caused a considerable amount of confusion and annoyance, for a variety of reasons, and has enabled media outlets to scaremonger about the doom and gloom that could befall developers, businesses and users. It wouldn't be so bad if there was a clear piece of legislation that could be read, understood and followed, but there isn't. Even the original EU directives are vague in the presentation of their requirements.

Aside from the ludicrous situation of trying to enforce a law with no actual documentation to abide by (George Orwell would have a field day), and questioning why we are paying politicians for this shambolic situation, I have to question the motives behind the creation of this directive.

The basic Data Protection premise for tightening up the directive is a reasonable one; however, the way it has been presented is potentially detrimental to the way developers, businesses and users, particularly in the EU, are going to browse and use the internet. The directive needed tightening due to the way advertisers use cookies to track users as they browse the web and target adverts. There has been much to complain about in this regard, and far beyond the use of cookies, with companies such as Phorm trying to track information at the server level too. However, the directive has ended up being too vague and covers too wide a perspective to tackle the problem effectively.

Others have already questioned whether it could push users to non-EU websites to do their business, because they get put off using EU-based sites. Continually being asked whether you want to have information stored in a cookie every time you visit a website is going to get pretty tiresome pretty quickly. You see, if you do not consent to the use of cookies, that refusal cannot itself be saved in a cookie, and so when you revisit the site, the site doesn't know you said no and will ask you all over again. For those happy to have simple preferences and settings stored in cookies, you'll be asked once and never again. If you need an example of how bad it could get, Paul Carpenter took a satirical look at a possible implementation.

On Monday 9th May 2011, the Information Commissioner's Office (ICO) issued an advice notice to UK businesses and organisations on how to comply with the new law. However, even their own advice states the document "is a starting point for getting compliant rather than a definitive guide." They even invent cookie types that don't exist! Apparently "Flash Cookies" is a commonly used term, except in the web technology world there are just two types of cookie, Persistent Cookies and Session Cookies. They even reference the website AllAboutCookies, which makes no mention of "Flash Cookies". Still not convinced this is a complete shambolic mess?

The directives currently state that only cookies that are "strictly necessary" to the consumer are exempt from the ruling. In most cases shopping carts have been used as an example of cookie usage which would be exempt. However, it doesn't exempt all 1st party cookies (those that come from the originating domain), and especially targets 3rd party cookies (from other domains). The advice states "The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users' preferences or if you decide to use a cookie to collect statistical information about the use of your website." Both of which have significant disruption potential for both websites and their visitors.

Many of the 1st party cookies I use are Session Cookies, which either store an encrypted key to keep you logged into the site, or store preferences to hide/show elements of the site. You could argue both are strictly necessary or not, depending on your view. Of the 3rd party cookies, like many people these days, I use Google Analytics to study the use of my websites. Of particular interest to me is how people find the site, and the search words used that brought the visitor to the site. It could be argued that these are strictly necessary to help the site visitor find the site in the first place. Okay, it's a weak argument, but the point remains that people use these types of analysis to improve their sites and make the visitor experience more worthwhile.
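The cookie audit suggested above (classifying what a site sets as 1st or 3rd party, session or persistent, and which are the Google Analytics cookies) is easy to automate. The following is an added example, not code from this blog or any project it mentions: it reads a Netscape-format cookies.txt export (what browser cookie exporters and curl/wget write, with expiry 0 meaning a session cookie), the sample export is constructed, and the site host `www.example.org` and the `classify` heuristic labels are assumptions; the "ICO advice" flag simply mirrors the quoted advice that preference and statistics cookies do not qualify for the "strictly necessary" exception.

```python
"""Cookie audit helper (added example, not the blog's own code).

Classifies cookies from a Netscape-format cookies.txt export so a site
owner can see, per cookie, whether it is 1st or 3rd party, session or
persistent, and whether it is one of the classic Google Analytics cookies.
"""
from dataclasses import dataclass
from typing import Dict, List

# Classic ga.js / urchin.js cookie names. Note they are set on the
# site's OWN domain (1st party) even though the script is Google's.
GA_COOKIE_NAMES = {"__utma", "__utmb", "__utmc", "__utmz"}

# Constructed sample export: domain, host-only flag, path, secure,
# expiry (0 = session cookie), name, value; fields are tab separated.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File (constructed sample)\n"
    "www.example.org\tFALSE\t/\tTRUE\t0\tsession_key\tabc123\n"
    "www.example.org\tFALSE\t/\tFALSE\t0\tshow_sidebar\t1\n"
    ".example.org\tTRUE\t/\tFALSE\t1369526400\t__utma\t1.2.3.4.5\n"
    ".example.org\tTRUE\t/\tFALSE\t1306454400\t__utmz\t1.2.3.utmcsr=google\n"
    ".adnetwork.example\tTRUE\t/\tFALSE\t1369526400\tuid\tprofile-42\n"
)


@dataclass
class CookieRecord:
    domain: str
    path: str
    secure: bool
    expires: int  # Unix timestamp; 0 means the cookie dies with the session
    name: str
    value: str


def parse_cookies_txt(text: str) -> List[CookieRecord]:
    """Parse Netscape cookies.txt lines, skipping comments and blanks."""
    records: List[CookieRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"malformed cookies.txt line: {raw!r}")
        domain, _host_only, path, secure, expires, name, value = fields
        records.append(CookieRecord(domain, path, secure.upper() == "TRUE",
                                    int(expires), name, value))
    return records


def is_first_party(cookie_domain: str, site_host: str) -> bool:
    """A cookie is 1st party when its domain is the site host or a parent
    of it; a leading dot in the domain field is ignored."""
    d = cookie_domain.lstrip(".").lower()
    h = site_host.lower()
    return h == d or h.endswith("." + d)


def classify(cookie: CookieRecord, site_host: str) -> Dict[str, object]:
    """Label one cookie. 'needs_review' is a heuristic (assumption): anything
    3rd party, persistent, or analytics falls outside the "strictly necessary"
    exception as the ICO advice describes it; a 1st party session cookie is
    the only candidate for exemption."""
    party = "1st" if is_first_party(cookie.domain, site_host) else "3rd"
    lifetime = "session" if cookie.expires == 0 else "persistent"
    analytics = cookie.name in GA_COOKIE_NAMES
    return {
        "name": cookie.name,
        "party": party,
        "lifetime": lifetime,
        "analytics": analytics,
        "needs_review": party == "3rd" or lifetime == "persistent" or analytics,
    }


def audit(text: str, site_host: str) -> List[Dict[str, object]]:
    """Classify every cookie in a cookies.txt export for the given site."""
    return [classify(c, site_host) for c in parse_cookies_txt(text)]


if __name__ == "__main__":
    for row in audit(SAMPLE_COOKIES_TXT, "www.example.org"):
        flag = "REVIEW" if row["needs_review"] else "ok"
        print(f"{row['name']:<14} {row['party']} {row['lifetime']:<10} "
              f"ga={row['analytics']!s:<5} {flag}")
```

Run against a real export, the rows marked REVIEW are the ones a consent mechanism has to cover; the rows marked ok are the session-state cookies the post argues may be exempt.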

Understandably, many people have questioned the implications of using Google Analytics, and on one Google forum thread the Google-approved answer seems to imply that it will only mean websites make it clearer that they use Google Analytics. However, this is at odds with the ICO advice, which says that isn't enough to comply with the law.

If the ruling had been more explicit about consent for the storing of personal data in cookies, such as a name or e-mail address, or the use of cookies to create a personal profile, such as with advertiser tracking cookies, it would have been much more reasonable and obvious what is permissible. Instead it feels like the politicians are using a wrecking ball to take out a few bricks, but then aiming at the wrong wall.

For a site like CPAN Testers Reports, it is quite likely that I will have to block anyone using the site unless they explicitly allow me to use cookies. The current plan is to redirect people to the static site, which will have Google Analytics switched off and has no other cookies requiring consent. It also doesn't have the full dynamically driven content of the main site. In Germany, which already has much stricter requirements for data protection, several personal bloggers have chosen not to use Google Analytics at all in case they are prosecuted. I'm undecided at the moment whether I will remove GA from my websites, but will watch with interest whether other bloggers use pop-ups or remove GA from their sites.

Perhaps the most frustrating aspect of the directives and the advice is that they discuss only website compliance. They don't acknowledge that the websites and services may be hosted on servers outside the EU, although the organisation or domain may have been registered within the EU. They also don't differentiate between commercial businesses, voluntary organisations or individuals. Personal bloggers are just as at risk of prosecution as multinational, multibillion [currency of choice] businesses. The ICO is planning to issue separate guidance on how they intend to enforce these Regulations, but no timescale is given. I hope that they make it absolutely clear that commercial businesses, voluntary organisations and individuals will all be treated differently from each other.

In their eagerness to appear to be doing something, the politicians, in their ignorance, have crafted a very misguided ruling that will largely fail to prevent the tracking of information and creation of personal profiles, which was the original intent of the changes. When companies such as Phorm can create all this personal information on their servers, using the same technology to capture the data but sending it back to a server rather than saving a cookie, have these directives actually protected us? By and large this will be a resounding No. Have they put in place a mission to disrupt EU business and web usage, and deter some from using EU-based websites? Definitely. How much this truly affects web usage remains to be seen, but I suspect initially there will be an increase in pop-ups appearing on websites asking to use cookies.

It will also be interesting to see how many government websites adhere to the rulings too.

Following on from my previous post regarding the Internet Watch Foundation, a fellow Perl programmer, Jacinta Richardson, recently posted on her use.perl blog regarding currently proposed legislation in Australia. To get a bit of background on the subject, read the articles she links to in her post, before reading her reply.

For myself, working in the filtering industry, I'm well aware of the fact that it is impossible to get filtering 100% accurate all the time. Even our Service Level Agreements (SLAs) don't state that, as it is just too difficult to manage. We get very close, and our filter systems are considered to be the best in the world, but we'll never be 100% perfect. As Jacinta highlights in her reply, the owners of the bad stuff change their domains on a regular basis, swap IP addresses and even server locations to avoid detection. In some cases the server locations are beyond law enforcement agencies, as they are in countries that have limited or no resources to shut down these operations.

However, the part that irritates Jacinta, and the reason why I find objections to this kind of thing important, is the blindly ignorant "you're either with us or with the terrorists" style of retort from officials or self-appointed puritans for the world. Having children of my own, I would never want them to be subjected to indecent or illegal material on the internet. However, the vast majority of that kind of material is very unlikely to be something you would accidentally stumble across. Putting in aggressive filters to scan absolutely everything all of the time is rarely going to stop those wishing to find that kind of material, and is likely to block more innocent websites than potentially harmful ones. Using scare tactics and accusing your opposition of advocating child pornography is insensitive and irresponsible, and only serves to make you and your arguments look ignorant.

I would be interested to know what recourse a company or individual has on the Australian government, should they block an innocent website that is hosted outside of Australia? The chances are none, and who would you complain to anyway? If your domain is blocked, you'll never get through!

In her reasoning, Bernadette McMenamin uses examples of countries such as the UK who use filtering. Yes we do, and the self-appointed body that tells us what we can and can't see also makes some stupid mistakes and disrupts internet use for the whole country. For all the protection these self-appointed bodies provide, I would rather see more effort put into shutting down the source operations and protecting the children from being abused in the first place, rather than waiting after the fact for government officials to wave their hands limply, crying "oh, how could this happen, let's ban the internet for children so they can't see it!".

McMenamin claims that British Telecom block 35,000 attempts per day to reach illegal material. However, how many of them were to truly illegal material and not "potentially illegal", as was highlighted by The Scorpions/Wikipedia incident? How many requests were made by children accessing the content? How many prosecutions were made from these access attempts? How many of the blocked domains/URLs were taken down? It's easy to throw numbers around, but without substance they are worthless numbers.

Jacinta picked up on an interesting quote by McMenamin - "[T]hose who are aware [of all the facts] are, in effect, advocating child pornography." So by McMenamin's own admission she must be ignorant of all the facts, otherwise she too would be advocating child pornography. Forrest Gump has a reply for Bernadette McMenamin - "Stupid is as stupid does."

Earlier this month there was a rather confusing and worrying blanket "Moral Majority" ban of a page on Wikipedia. The page in question has now been unblocked and the actual image that started it all has also been unblocked, with the Internet Watch Foundation that instigated the block now backing down in the face of overwhelming resistance to their actions.

The image in question is from the original front cover of the 1976 album release "Virgin Killer" by The Scorpions. At the time of its release in 1976 it courted controversy, and although widely available to all in numerous retail outlets across the world, some outlets did insist on selling it only over the counter in a sealed paper bag, and only a few refused to stock it at all. Following feedback from the retail outlets, the band reissued the album with a cover featuring a group shot of the band. However, the original album cover is still widely available in second-hand record stores and on eBay. Following remastered reissues and boxset packages, the CD is once again available with the original artwork. It has also appeared in many books over the years, often cited amongst a list of worst album covers, some of which can be found in public libraries.

I don't know the retail figures, but I can imagine that several thousand heavy metal fans in the UK alone have a copy of the original album, or a reissued remastered CD featuring the image in their collections.

So the decision to ban the image ONLY on Wikipedia now (some 32 years after the original image was widely available) seems absolutely idiotic. At first the main page regarding the album was blocked, and apparently it is the first time the IWF has banned a complete work of text. Wikipedia volunteer David Gerard and Sarah Robertson from the IWF were interviewed on BBC Radio 4 as I was driving into work on the day the block was instigated, and it was very evident that the woman representing the IWF was rather ignorant of the situation, trying to focus on the fact that they had shown it to the police who had said it was "potentially illegal". Blaming the police, who are NOT judge and jury regarding obscene material, is rather irresponsible at best, and only serves to highlight their lack of process in ensuring that if an image is considered illegal, a botched attempt at banning is the best of their abilities.

Wikipedia themselves issued a statement that reads "Due to censorship by the UK self-regulatory agency the Internet Watch Foundation (IWF), most UK residents can no longer edit the volunteer-written encyclopedia, nor can they access an article in it describing a 32-year-old album by German rock group the Scorpions." In addition Wikimedia Foundation's General Counsel, Mike Godwin, is also quoted as saying "We have no reason to believe the article, or the image contained in the article, has been held to be illegal in any jurisdiction anywhere in the world."

So although the image was deemed "potentially illegal" by the UK police the IWF spoke to, for the past 32 years no country has ever passed a judgement and condemned the image as illegal. It might be inappropriate, but not illegal.

And so to a bigger question. Why Wikipedia? In fact why ONLY Wikipedia? The image was widespread across the internet, in places such as Google's image cache, on various retail sites including Amazon, The Scorpions' own website and countless others. Could it be that Wikipedia is unlikely to be in a position to sue them for blocking their site? I can well imagine that Amazon and any other major retailer would have drafted in lawyers within seconds and be issuing writs for commercial damages. Not something the IWF would be equipped to deal with, particularly since they are an independent self-appointed body, without official government backing.

Following on from that last point, the perhaps more important question is if this body is self-appointed, without government backing, who is reviewing the practices of the Internet Watch Foundation? While in many instances they may well be protecting us from illegal images, without proper regulation and governance, instances like the blocking of Wikipedia will happen again.

The scary thing in all of this is that possessing the album has never been considered illegal, and indeed would have been very difficult to prosecute now, 32 years later, but the IWF seem to believe that doesn't matter and effectively attempted to criminalise a potentially significant portion of the UK population. Should they have that power? In my opinion no, as it should be the police and the courts who govern what is actually illegal.

Because most ISPs in the UK currently sign up to the IWF block lists, this incident was felt instantly across the UK by anyone contributing to Wikipedia. Having now blown such a big hole in their metaphorical foot, I suspect the IWF may well be a little more careful about what they block and maybe, just maybe, they might even provide better justification for blocking images and pages in the future. However, it still worries me that they can potentially criminalise a publicly available image by dubious means and make criminals out of the population, without having any jurisdiction to do so. It's not Big Brother we have to worry about any more, it's the nanny state. Tipper Gore still has a lot to answer for.

In July 2008 I received a letter from my opticians (Dollond & Aitchison), which I've only just got around to reading, and which basically proclaims I am breaking the law for doing nothing! Apparently it regards a bit of new legislation that I've never heard of, and which they fail to back up with any reference to the actual legislation. The actual quote is:

"Legislation designed to protect the health of your eyes means you are required to have a regular check to ensure that we can continue to supply you with contact lenses."

Further into the letter they also say:

"You must act before 21/07/2008 otherwise we cannot supply you with any more lenses."

So now I'm a criminal and blacklisted by D&A from them ever supplying me any contact lenses ever again! WTF! How to drive away business in a nutshell. I have tried to phone their office, but keep getting an answerphone, so will have to wait to follow this up. However, I cannot believe a company would be so stupid as to commit commercial suicide by selling their customers this kind of rubbish.

There is no law that I am aware of that has ever been drawn up that now means several million people in the UK are criminals for never having had their eyes checked in the last year. Or is it just contact lens wearers? On top of that, any previous supplier to that (now branded) criminal is now banned for life from ever supplying contact lenses to that criminal. Now I am willing to be educated, so I'll pursue this, as I don't believe that the message they are selling is the correct one. If it is, then this country is in an even bigger quagmire than I thought, and if it isn't, then I'd like to know why they think it's a good sales initiative to use scare tactics to frighten their customers into getting a contact lens check.

To be continued....

If anyone out there in webland is aware of the appropriate legislation and can point me at an online version, I'd be very grateful. If anyone from D&A reads this, then feel free to contact me to explain why you think threatening your customers is a good sales tactic.

Perhaps unsurprisingly, I don't have a lot of respect for Record Companies these days. Once upon a time their founders and executives were people who had a passion for the music, and were more interested in investing in and supporting their artists, with a view to the long haul. For some bands, such as The Rolling Stones, Led Zeppelin, U2 and many others, the rewards have been immense for all concerned. However, since the mid-80s the major labels have bought each other out, or merged, to the point that we now have only 4 companies effectively deciding the future of the music industry in the US and Europe. None of the executives are in it for the music, and probably wouldn't even be able to name half of the artists they look after.

As such it is no surprise that the music sharing litigation debacles that have been lingering around for the last 8 years are still going strong. In one case, Tanya Andersen was falsely accused by the RIAA of illegal file sharing. Now in most instances that story wouldn't make much of an impression. However, what came to light in this case is that the RIAA (and consequently the big 4 behind that organisation) were so determined to win the case they tried to contact Tanya's daughter, in order for her to confess to her mother's file sharing activities. Now bearing in mind the fact that Tanya's daughter is 8 years old, and that investigators had made several attempts to contact her daughter, including contacting her elementary school (primary school for UK readers), without Tanya's knowledge or permission, many would consider that intimidation.

Tanya's lawyers have now filed a suit for $5 million for malicious prosecution, "alleging fraud, racketeering, and deceptive business practices by the record labels." I sincerely hope she wins the case, sending a message to all those ripping the credibility out of what was once a great music industry that bullies and money-grabbing tactics are not wanted here. If she wins, it could lead to a class-action suit, opening the floodgates for others who have also been falsely accused. In a recent update to the ongoing action, Tanya's lawyer was awarded $103,175 in legal fees following the dropping of the charges against Tanya. In another story it seems the tactics are now finally being investigated in North Carolina. If it's illegal for anyone to hack into a company computer, why do these record companies think it's legal to hack into an individual's computer? These aren't isolated stories either; there appear to be several cases that are taking on the RIAA.

I spotted the story of Julie Amero on the BBC News site this morning. While I'm glad there has been some sense to provide a second trial, with more appropriate evidence, I'm also disappointed that this should ever come to trial in the way it has. While I totally agree that minors shouldn't be exposed to the kind of images these sites promote, I also don't agree that a single SUBSTITUTE teacher should be held accountable in the way that she has.

Firstly, she's a substitute teacher, meaning that her knowledge of the computer security systems is likely to be extremely limited at best and more likely non-existent. Did the school fully brief her on the security measures they have in place? Perhaps she should be suing the school or the state for not reasonably putting in place security measures to prevent children being exposed to this sort of thing in the first place. However, that perhaps also isn't fair, as in far too many cases the school or the local government don't have any idea about computer security. It's why there are specialist computer security companies that are called in to investigate and secure companies and organisations.

I work for a company called MessageLabs. We work in an industry where stopping malicious content is part and parcel of the job. When you consider that in email alone we stop over 70% of mail as spam, viruses, inappropriate content or illegal images, and are also seeing increasing numbers within our web scanning and instant messaging services too, computer security is a huge and very specialised business. MessageLabs is the largest company of its kind in the world, and as such, every minute we stop hundreds of messages with the sort of payloads that would cause this kind of content to be popped up on unsuspecting computers. Are you really expecting a substitute teacher to have that level of knowledge and skill?

Part of the problem is education, and that isn't meant to be ironic. In Julie Amero's case, if the prosecution wins, then we are now expecting every single person to be accountable for ensuring every single aspect of their work environment is not going to get them arrested. By implication, we're also now stipulating that every single individual MUST become a security expert. That ain't gonna happen. In my opinion this focus is totally misplaced. The responsibility for protection at the workplace lies solely with the employer. In this instance the school or state should have taken reasonable steps to ensure that all computer security measures were deployed: that the desktop computers were adequately protected, and that their network was also appropriately protected, both from intrusion and by restricting the sites that can be viewed by any computer in the school. But whether you take action against the individual or the school or the state, you are still prosecuting the victims.

Taking a step back, the law basically stipulates that minors should not be exposed to this sort of imagery, which I agree with. However, as the law is very bad at being able to hold those truly responsible accountable, they go after easy prey. I do believe the law could be better written to make this sort of thing virtually disappear overnight.

This kind of promotion is typically from the pornographic, gaming and drug industries, none of which a minor should be exposed to. What if the law found the owners of those sites personally accountable for the distribution of harmful matter to minors? What if institutions, such as schools, colleges and libraries, or businesses, such as internet cafes, and maybe even individuals in the right circumstances, were able to prosecute the site owners? How quickly do you think that this sort of invasion would disappear? Unfortunately, those three industries are extremely big business, and can employ people to ensure that bills don't get passed that would affect them in this way. As such the justice system becomes corrupt, allowing victims such as Julie Amero to be held up as a scapegoat.

I really hope that the prosecution's case fails, as otherwise the kind of precedent it will set really isn't something I want to think about.

There is some talk of resisting the forthcoming government ban on smoking in enclosed places. Being a non-smoker, I'm going to be quite relieved not to go home stinking of someone's smoke after a night out. If you're a smoker, take a step back and ask yourself the following:

Would you light up at a restaurant?

Would you light up at your work place, if you work in an office?

Would you light up in the cinema?

Would you light up on the bus?

In many cases, hopefully most, you'll have answered no. However, it wasn't that long ago that you could quite happily do all of the above without worrying about being fined or worse. The latest moves to make pubs smoke-free, at least inside, will eventually become as expected as in the 4 places listed above.

Although it doesn't stop me from going out, I do know of others who avoid smoky pubs for health reasons. For non-smokers it isn't a nice taste or smell to have to endure. I already help pay for the damage done through smoking-related illnesses; I'd rather that money was spent on treating conditions and diseases that sufferers have not brought upon themselves.

Privacy Policy

Unless otherwise expressly stated, all original material of whatever nature created by Barbie and included in the Memories Of A Roadie website and any related pages, including the website's archives, is licensed under a Creative Commons by Attribution Non-Commercial License. If you wish to use material for commercial purposes, please contact me for further assistance regarding commercial licensing.